Forwarded from the National Cybersecurity Information Sharing and Analysis Center: Cybersecurity Alert NISAC-200-202603-00000006
[Content Description]
Researchers have disclosed two high-severity vulnerabilities in Broadcom's VMware Aria Operations (CVE-2026-22719 and CVE-2026-22720): a command injection flaw and a stored cross-site scripting flaw, respectively. CVE-2026-22719 lies in the Aria Operations support-assisted product migration process and allows an unauthenticated remote attacker to execute arbitrary commands on an affected instance; it is reported to be already exploited in the wild. CVE-2026-22720 allows a remote attacker who holds custom benchmarking privileges to store a malicious script that executes in the browser of a user who later views it, so that when that user is an administrator the script performs actions with administrator privileges. Confirm whether you are exposed and apply the patches as soon as possible.
[Affected Platforms]
VMware Aria Operations versions from 8.05 up to, but not including, 8.18.6
VMware Cloud Foundation versions from 4.0 up to, but not including, 5.2.3
VMware Cloud Foundation versions from 9.0 up to, but not including, 9.0.2.0
VMware Telco Cloud Platform versions from 4.0 through 5.1 (inclusive)
VMware Telco Cloud Infrastructure versions from 2.2 through 3.0 (inclusive)
[Recommended Actions]
Broadcom has released official patches for both vulnerabilities. Follow the update instructions in the official advisory, whose URL is: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947 . The Cloud Foundation and Telco Cloud products listed above ship Aria Operations as a component, so consult the advisory for the fix that applies to each product line. Because CVE-2026-22719 is already being exploited and needs no authentication, patch Internet-reachable Aria Operations instances first, and review them for signs of compromise before treating the patch alone as having closed the exposure.
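The first step of the recommended action is establishing which instances fall inside the affected ranges. The following script is an added example, not part of the alert or of Broadcom's tooling: it transcribes the ranges from the [Affected Platforms] section and checks a constructed, made-up inventory against them. The point it demonstrates is that version strings must be compared numerically component by component; a plain string comparison puts "8.9.1" after "8.18.6" and would wrongly clear an old build. The lower bound "8.05" is copied exactly as printed in the alert and is read as 8.5 by the parser, so confirm it against the Broadcom advisory before relying on it.

```python
"""Flag hosts whose product version falls inside the affected ranges in this alert.

Added example. The inventory below is constructed (not real hosts); the ranges
are transcribed from the [Affected Platforms] section of the alert.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'8.18.6' -> (8, 18, 6): numeric parts, so 8.9 sorts before 8.18."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not parts:
        raise ValueError(f"empty version string: {text!r}")
    return parts


def compare_versions(a: str, b: str) -> int:
    """Comparator returning -1, 0 or 1. Missing trailing parts count as 0,
    so '5.1' == '5.1.0' and '9.0.2' == '9.0.2.0'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


@dataclass(frozen=True)
class AffectedRange:
    product: str
    first: str            # lowest affected version (inclusive)
    last: str             # upper bound of the affected range
    last_inclusive: bool  # True if the upper bound itself is affected

    def contains(self, version: str) -> bool:
        if compare_versions(version, self.first) < 0:
            return False
        upper = compare_versions(version, self.last)
        return upper < 0 or (upper == 0 and self.last_inclusive)


# Transcribed from [Affected Platforms]. '8.05' is copied as printed in the alert;
# parse_version reads it as 8.5, so confirm that lower bound against the Broadcom
# advisory. The excluded upper bounds (8.18.6, 5.2.3, 9.0.2.0) are not affected.
AFFECTED = [
    AffectedRange("VMware Aria Operations", "8.05", "8.18.6", last_inclusive=False),
    AffectedRange("VMware Cloud Foundation", "4.0", "5.2.3", last_inclusive=False),
    AffectedRange("VMware Cloud Foundation", "9.0", "9.0.2.0", last_inclusive=False),
    AffectedRange("VMware Telco Cloud Platform", "4.0", "5.1", last_inclusive=True),
    AffectedRange("VMware Telco Cloud Infrastructure", "2.2", "3.0", last_inclusive=True),
]


def find_affected(inventory, ranges=AFFECTED):
    """inventory: iterable of (hostname, product, version) tuples.
    Returns the (hostname, product, version) entries inside an affected range
    for their product, in inventory order."""
    hits = []
    for host, product, version in inventory:
        for r in ranges:
            if r.product == product and r.contains(version):
                hits.append((host, product, version))
                break
    return hits


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("vrops-prod-01", "VMware Aria Operations", "8.18.5"),
    ("vrops-prod-02", "VMware Aria Operations", "8.18.6"),
    ("vrops-lab-01", "VMware Aria Operations", "8.9.1"),
    ("vcf-dc1", "VMware Cloud Foundation", "5.2.2"),
    ("vcf-dc2", "VMware Cloud Foundation", "9.0.2.0"),
    ("tcp-core-01", "VMware Telco Cloud Platform", "5.1.0"),
    ("tci-edge-01", "VMware Telco Cloud Infrastructure", "3.1"),
]

if __name__ == "__main__":
    for host, product, version in find_affected(SAMPLE_INVENTORY):
        print(f"PATCH {host}: {product} {version} is in an affected range")
```

Running it lists vrops-prod-01, vrops-lab-01, vcf-dc1 and tcp-core-01; the instances already on 8.18.6 or 9.0.2.0 are cleared, and 5.1.0 is caught because the Telco Cloud Platform upper bound is inclusive. To use it against a real estate, replace SAMPLE_INVENTORY with the (hostname, product, version) rows from your CMDB or asset export.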
[References]
1. https://nvd.nist.gov/vuln/detail/CVE-2026-22719
2. https://nvd.nist.gov/vuln/detail/CVE-2026-22720
3. https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36947